Google Maps' spam problem presents genuine security issues

[Permalink]

He recorded calls? How the heck is he planning to escape jail? Seems to me many other security flaw researchers have done much less and been prosecutedā€¦

1 Like

Exactly. Itā€™s one thing to point out that something like that can be done and another to actually do it. Recording calls (especially to a Federal agency) is a serious legal matter even if it wasnā€™t done maliciously.

Our government has made it clear that such a thing is only a ā€œserious legal matterā€ if someone gets taken by a whim and decides to make an example of you, rather than being a ā€œrealā€ legal issue that law enforcement should really worry about, you know? I mean, itā€™s not like this guy was listening to the calls - he was only really collecting metadata, you know. And he didnā€™t target anyone in particular, nor did he target everyone, so itā€™s okay.

That said, yeah, this guy is asking to be thrown under the bus.

I didnā€™t realize this was a real thing. Iā€™d always assumed crap results in the google maps, were just crap, fly-by-night companies that I didnā€™t want to do business with anyway. Itā€™s not like spammers are spending time creating a custom photo and real website and significant numbers of customer reviews is it?

Butā€¦ butā€¦ for a couple days, at least, you can use Google Maps to catch Pokemon!

1 Like

I hadnā€™t heard of it either ā€“ but a bit of searching indicates that crooked locksmith firms in particular have been doing what Cory encountered with Google Maps for years. I guess it works better with things like locksmiths and tow trucks because not hearing about the firm until you tried to use them would be pretty common.

Itā€™s interesting to note that the enabling culprit here is Google Places, which has long been an opening for all sorts of mischief, entire due to the ridiculous manner in which its set-up.

A couple of years ago, a client of mine discovered that a Google Places page existed for their business (an adoption agency) even though they had never created a GP page. They also discovered that the page had an incorrect phone number. Calling that number got you through to the actual agency phone number, but there was an obvious delay in connecting.

They investigated and discovered that a marketer they had worked with had taken it upon themselves to create the GP page (Yes, under Google Places, you donā€™t have to own the business to start a GP page for it.) The phone number rang into the marketerā€™s office, then re-routed to the adoption agency. They were told it was just to measure phone traffic from the GP page, but, obviously, they could well have recorded conversations if they wanted.

The agency went and created their own GP page (with the correct info, phone number, etc.) but, the way Google Places works is if there are competing pages for the same business, the data will slowly become blended, and somehow the ā€œrealā€ information wins out. Itā€™s nuts. Even after the marketer took down his GP page, the two GP pages remained blended for several months until the real page won.

3 Likes

Nothing here really constitutes an attack against Google Maps, or any other Google service for that matter. Itā€™s just a demonstration of the sort of stuff you can do with them as currently provided.

Using powertools to convert your truck into a tank a-team style isnā€™t an attack on the hardware store.

Might lead to one though.

2 Likes

Just goes to show that this new-fangled Google stuff is no replacement for your goodā€™ol, reliable Yellow Pages!

2 Likes

I have a friend whose home phone number and building street address (but not apartment number) somehow ended up associated with the embassy of an African nation.

It now shows up in Google Maps, Citysearch and Yahoo Local, but also in Superpages.com, Dexknows.com, Yellowpages.com, Switchboard.com and other phone directory sites. I havenā€™t seen a physical phone book to see if itā€™s listed there, too. The friend has absolutely no idea how his info came to be associated with the country in question.

2 Likes

Well, google maps has always sucked quite badly at producing decent results for nearby relevant businesses, so much so that yelp is better (and given how much yelp sucks, thatā€™s saying quite something). Just yesterday I was trying to find an excellent seafood market about a mile from my house whose name Iā€™d blanked on - google maps spat up all kinds of random diners and places like trader joes, but never the market in question. I finally found it using yelp, then just to test, typed the name of the place (which includes the words ā€˜seafoodā€™ and ā€˜marketā€™) into google maps which promptly displayed it (so they had it in their database). Kind of odd given how good their regular search is.

Oh no, thatā€™s not true. Merely pointing out the security hole gets you prosecuted now.

He went to the Secret Service and demonstrated the exploit to them, after it got some traction on Mikeā€™s blog. It certainly got theirs and Googleā€™s attention.

Microsoft is performing a valuable (red team) service to the g+ design team. Hopefully, Maps will be the next Google service to be put behind Google encrypt everything wall and phishers, cookie pushers and other malefactors masquerading as advertisers will get the same treatment.

While I am bothered by Googleā€™s lack of security, I have to ask why Microsoft is tasking experienced engineers with breaking into Google services instead of fixing their own holes which even a ten year old could go through?

Bryan doesnā€™t work for Microsoft.

No one at Microsoft is breaking into Googleā€™s services. Bryan doesnā€™t work for Microsoft.

This topic was automatically closed after 5 days. New replies are no longer allowed.